PT-2023-1338 · Argo Cd · Argo Cd
Changzhuo Chen +1 · Published 2023-01-25 · Updated 2025-09-30 · CVE-2023-22736
CVSS v3.1: 8.5 High
Vector: AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Argo CD versions 2.5.0-rc1 through 2.5.7
Argo CD version 2.6.0-rc4
Description
The issue is an authorization bypass bug in Argo CD, a declarative GitOps continuous delivery tool for Kubernetes. The bug allows a malicious Argo CD user to deploy Applications outside the configured allowed namespaces. It is triggered when the Application is updated, so the attacker must be able to cause an update operation on the Application resource. The sourceNamespaces field of AppProjects acts as a secondary check against this exploit. The bug only applies to users who have explicitly enabled the "apps-in-any-namespace" feature and have sharding enabled on the Application controller.
Recommendations
For Argo CD versions 2.5.0-rc1 through 2.5.7, update to version 2.5.8 to resolve the issue.
For Argo CD version 2.6.0-rc4, update to version 2.6.0-rc5 to resolve the issue.
As a temporary workaround, consider running only one replica of the Application controller to prevent exploitation of this bug.
Restrict all AppProjects' sourceNamespaces within the confines of the configured Application namespaces to minimize the risk of exploitation.
Exploit
Fix
DoS
Missing Authorization
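One way to check the sourceNamespaces recommendation above, as an added example that is not part of the original advisory or of Argo CD itself. It assumes the AppProject objects have been exported as JSON and that the configured Application namespaces are known; all sample values are constructed, and treating "more than one controller replica" as "sharding enabled" is an assumption based on the workaround.

```python
import fnmatch

# Constructed sample data, not taken from a real cluster. ALLOWED stands in for
# the configured Application namespaces; PROJECTS for the "items" list of
# AppProject objects exported as JSON.
ALLOWED = ["team-a", "team-b-*"]
PROJECTS = [
    {"metadata": {"name": "proj-ok"},
     "spec": {"sourceNamespaces": ["team-a", "team-b-dev"]}},
    {"metadata": {"name": "proj-wide"}, "spec": {"sourceNamespaces": ["*"]}},
    {"metadata": {"name": "proj-stray"},
     "spec": {"sourceNamespaces": ["kube-system"]}},
    {"metadata": {"name": "proj-none"}, "spec": {}},
]

def has_wildcard(value):
    return any(ch in value for ch in "*?[")

def within_allowed(entry, allowed):
    """True if a sourceNamespaces entry stays inside the allowed namespaces."""
    if has_wildcard(entry):
        # Conservative: a wildcard entry passes only when it is literally one
        # of the allowed patterns; glob-in-glob containment is not attempted.
        return entry in allowed
    # Assumption: fnmatch approximates the glob matching Argo CD applies.
    return any(fnmatch.fnmatchcase(entry, pattern) for pattern in allowed)

def audit_projects(projects, allowed):
    """Return (project, entry) pairs that reach outside the allowed namespaces."""
    findings = []
    for project in projects:
        name = project["metadata"]["name"]
        for entry in project.get("spec", {}).get("sourceNamespaces") or []:
            if not within_allowed(entry, allowed):
                findings.append((name, entry))
    return findings

def preconditions_met(allowed, controller_replicas):
    """Both conditions named in the description: feature on, controller sharded."""
    return bool(allowed) and controller_replicas > 1

if __name__ == "__main__":
    for name, entry in audit_projects(PROJECTS, ALLOWED):
        print(f"AppProject {name}: sourceNamespaces entry {entry!r} is too broad")
    print("bug preconditions present:", preconditions_met(ALLOWED, 2))
```

A project flagged here weakens the secondary check the description mentions, so it should be narrowed even after upgrading.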
Affected Products
Argo Cd